Merge pull request #537 from aanand/tls

TLS support

Author: bfirsh

docs/cli.md

@@ -101,6 +101,8 @@ By default if there are existing containers for a service, `fig up` will stop an
 
 Several environment variables can be used to configure Fig's behaviour.
 
+Variables starting with `DOCKER_` are the same as those used to configure the Docker command-line client. If you're using boot2docker, `$(boot2docker shellinit)` will set them to their correct values.
+
 ### FIG\_PROJECT\_NAME
 
 Set the project name, which is prepended to the name of every container started by Fig. Defaults to the `basename` of the current working directory.
@@ -112,3 +114,11 @@ Set the path to the `fig.yml` to use. Defaults to `fig.yml` in the current worki
 ### DOCKER\_HOST
 
 Set the URL to the docker daemon. Defaults to `unix:///var/run/docker.sock`, as with the docker client.
+
+### DOCKER\_TLS\_VERIFY
+
+When set to anything other than an empty string, enables TLS communication with the daemon.
+
+### DOCKER\_CERT\_PATH
+
+Configure the path to the `ca.pem`, `cert.pem` and `key.pem` files used for TLS verification. Defaults to `~/.docker`.

docs/install.md

@@ -8,11 +8,11 @@ Installing Fig
 
 First, install Docker version 1.3 or greater.
 
-If you're on OS X, you can use the [OS X installer](https://docs.docker.com/installation/mac/). You'll also need to set an environment variable to point at the Boot2Docker virtual machine:
+If you're on OS X, you can use the [OS X installer](https://docs.docker.com/installation/mac/) to install both Docker and boot2docker. Once boot2docker is running, set the environment variables that'll configure Docker and Fig to talk to it:
 
-    $ export DOCKER_HOST=tcp://`boot2docker ip`:2375
+    $(boot2docker shellinit)
 
-If you want this to persist across shell sessions, you can add it to your `~/.bashrc` file.
+To persist the environment variables across shell sessions, you can add that line to your `~/.bashrc` file.
 
 There are also guides for [Ubuntu](https://docs.docker.com/installation/ubuntulinux/) and [other platforms](https://docs.docker.com/installation/) in Docker’s documentation.
 

fig/cli/command.py

@@ -1,7 +1,6 @@
 from __future__ import unicode_literals
 from __future__ import absolute_import
-from docker import Client
-from requests.exceptions import ConnectionError
+from requests.exceptions import ConnectionError, SSLError
 import errno
 import logging
 import os
@@ -12,7 +11,8 @@
 from ..project import Project
 from ..service import ConfigError
 from .docopt_command import DocoptCommand
-from .utils import docker_url, call_silently, is_mac, is_ubuntu
+from .utils import call_silently, is_mac, is_ubuntu
+from .docker_client import docker_client
 from . import verbose_proxy
 from . import errors
 from .. import __version__
@@ -26,6 +26,8 @@ class Command(DocoptCommand):
     def dispatch(self, *args, **kwargs):
         try:
             super(Command, self).dispatch(*args, **kwargs)
+        except SSLError, e:
+            raise errors.UserError('SSL error: %s' % e)
         except ConnectionError:
             if call_silently(['which', 'docker']) != 0:
                 if is_mac():
@@ -49,7 +51,7 @@ def perform_command(self, options, handler, command_options):
         handler(project, command_options)
 
     def get_client(self, verbose=False):
-        client = Client(docker_url())
+        client = docker_client()
         if verbose:
             version_info = six.iteritems(client.version())
             log.info("Fig version %s", __version__)

fig/cli/docker_client.py

@@ -0,0 +1,34 @@
+from docker import Client
+from docker import tls
+import ssl
+import os
+
+
+def docker_client():
+    """
+    Returns a docker-py client configured using environment variables
+    according to the same logic as the official Docker client.
+    """
+    cert_path = os.environ.get('DOCKER_CERT_PATH', '')
+    if cert_path == '':
+        cert_path = os.path.join(os.environ.get('HOME'), '.docker')
+
+    base_url = os.environ.get('DOCKER_HOST')
+    tls_config = None
+
+    if os.environ.get('DOCKER_TLS_VERIFY', '') != '':
+        parts = base_url.split('://', 1)
+        base_url = '%s://%s' % ('https', parts[1])
+
+        client_cert = (os.path.join(cert_path, 'cert.pem'), os.path.join(cert_path, 'key.pem'))
+        ca_cert = os.path.join(cert_path, 'ca.pem')
+
+        tls_config = tls.TLSConfig(
+            ssl_version=ssl.PROTOCOL_TLSv1,
+            verify=True,
+            assert_hostname=False,
+            client_cert=client_cert,
+            ca_cert=ca_cert,
+        )
+
+    return Client(base_url=base_url, tls=tls_config)

fig/cli/main.py

@@ -7,7 +7,7 @@
 from operator import attrgetter
 
 from inspect import getdoc
-import dockerpty
+from fig.packages import dockerpty
 
 from .. import __version__
 from ..project import NoSuchService, ConfigurationError

fig/cli/utils.py

@@ -62,10 +62,6 @@ def mkdir(path, permissions=0o700):
     return path
 
 
-def docker_url():
-    return os.environ.get('DOCKER_HOST')
-
-
 def split_buffer(reader, separator):
     """
     Given a generator which yields strings and a separator string,

fig/packages/__init__.py

@@ -0,0 +1,27 @@
+# dockerpty.
+#
+# Copyright 2014 Chris Corbyn <chris@w3style.co.uk>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from .pty import PseudoTerminal
+
+
+def start(client, container):
+    """
+    Present the PTY of the container inside the current process.
+
+    This is just a wrapper for PseudoTerminal(client, container).start()
+    """
+
+    PseudoTerminal(client, container).start()